Avast Scandal: Why We Stopped Recommending Avast & AVG

Our readers have been messaging us and asking why we’re still ranking Avast and AVG on our website, despite them being caught up in a serious scandal. Well, after a lot of consideration and back and forth between departments, we’ve decided to finally remove them from all of our lists.

Why? Because Avast — which also owns AVG — has been caught in a firestorm of controversy over the last several months regarding serious allegations of unethical business practices.

The Avast Online Security browser extension was deleted from Mozilla, Chrome, and Opera marketplaces in December 2019 after claims that it was gathering a suspicious amount of user data — not only every website visited, but also user location, search history, age, gender, social media identities, and even personal shipping information. Three months later, Avast shut down a subsidiary company, Jumpshot, in the wake of investigative reports documenting the sale of personal data from around 100 million users, all gained through improper user surveillance.

The SafetyDetectives team has carefully considered our decision to scrub Avast from our website over the next several weeks. At the end of the day, any company that faces such severe allegations has lost our faith and cannot receive our seal of approval.

Here’s How Avast Allegedly Spied on Its Users for the Last 7 Years

Wladimir Palant — the founder of Adblock Plus — was the first person to sound the alarm about Avast’s predatory practices. In October 2019, he posted the incriminating information to his blog with a detailed explanation of how he claims Avast was able to “transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior.”

Essentially, Avast and AVG’s Online Security extensions were recording their users’ every click — documenting which websites were visited, when, and from where. While Avast claimed that data collection was a necessary part of the Online Security plugin, browser extensions from competing brands seemed to work fine without collecting and retaining such a large amount of personal information.

Then came the disclosure that this data was being sold to big corporate clients like Home Depot, Google, and Pepsi, through an Avast subsidiary called Jumpshot.

Avast Subsidiary Sold User Data For Millions of Dollars in Profit

In 2013, Avast acquired Jumpshot, a company that aggregated “anonymous” user data and sold that data to online businesses. Jumpshot’s public information was very vague, but they claimed to have obtained “clickstream data from 100 million online shoppers and 40 million app users”. The source of Jumpshot’s user data was the spyware embedded in Avast and AVG’s Online Security browser extensions. Palant was a driving force behind this revelation, but the nail in Jumpshot’s coffin was an article by VICE Motherboard, published in early 2020. It lists the corporations that purchased data from Jumpshot, along with whistleblower testimony and leaked internal documents from Avast and Jumpshot. Jumpshot claimed that no “Personal Identifying Information” was included in the data they sold, but many experts were not convinced.

According to the investigation, Jumpshot’s data contained every click performed by Avast Online Security users, along with time stamps (accurate to the millisecond) and country, city, and zip code information derived from users’ IP addresses. Palant exposed the algorithm designed to censor specific data, like email addresses and social media profiles, as seriously malfunctioning — whole shipment details from mail carriers, including names and home addresses, were included in data packets sold by Jumpshot.

US Senators and Investigative Journalists Held Avast Accountable

Oregon Senator Ron Wyden, a well-known proponent of cybersecurity, net neutrality, and digital privacy, called out Avast publicly in December 2019, stating on Twitter that, “Americans expect cybersecurity and privacy software to protect their data, not sell it to marketers. I’m looking into this troubling report about Avast and its failure to protect consumers’ data.”

Then, after being removed from the Chrome, Mozilla, and Opera web stores, Avast had the opportunity to abandon their privacy-violating ways and start to act like a respectable cybersecurity company. They changed the privacy settings of the Online Security browser extension, which was returned to web stores at the end of December. However, as the VICE Motherboard exposé revealed, they simply moved their data collection to the main antivirus suite, embedding a data collection “opt-in” question during the installation process.

With the publication of the VICE Motherboard article, and in the face of unanimous public disapproval, Avast finally shut down Jumpshot completely in February 2020. But for SafetyDetectives, and many others in the cybersecurity world, it was too little, too late. 7 years of secretly profiting off of user data makes this one of the largest ethical violations in antivirus software history.

Why Ethical Violations by Antivirus Companies Are Especially Serious

Antivirus software is some of the most invasive software around. We give our antivirus software an unprecedented amount of access to our system — sensitive files, browsing history, financial information, and personal networks are all visible to our antivirus. We sign privacy policies and user agreements with the assumption that there isn’t deceptive language buried in all the legalese. But by violating their customers’ privacy in this way, Avast has corroded the relationship between users and antivirus products around the world. There are enough threats from hackers and invasive governments to worry about — antivirus providers should not be another threat to user security.

Jumpshot has been officially shut down, and Avast Online Security is back on Chrome and Mozilla web stores, with tighter privacy protections. But the fact remains that Avast was unethically profiting off of their users’ data for 7 years, and the only thing that stopped them was the citizen reportage of Wladimir Palant and the investigative journalists at VICE Motherboard. In our opinion, if independent professionals hadn’t rigorously documented these serious violations and notified the public, then Avast would still be running this scam. It’s even arguable that Avast only really considered changing their practices after a US Senator stepped up to confront them.

User Feedback Inspired Us to Remove Avast from SafetyDetectives

Here at SafetyDetectives, we’ve had other issues with Avast over the years — following a negative review, they actually pulled their advertising from our website. Still, we have always endeavored to bring you the best cybersecurity products on the internet, regardless of our business relationships with the companies that keep our site profitable. That’s why we continued to include Avast and AVG on our lists — we even kept them as our number 1 pick for the best antivirus for mobile devices.

However, amid such glaring violations of user privacy which have been happening over the last 7 years, we can no longer continue to promote Avast or any of their subsidiaries (like AVG) on our site.

We’ve been considering a move like this for a long time. Even though a lot of top review sites continue promoting — and profiting from — Avast, we’ve been steadily moving them off of our lists for a while. The ultimate motivation for us was all of the feedback we received from our readers with messages like this: “After the data selling incident from AVAST, this software shouldn’t get any positive review or recommendation.”

We completely agree. These kinds of violations of privacy should be disturbing to anybody who believes in basic human rights. This is why it’s so important for computer users to stay on top of these issues and protect their computers with trustworthy antivirus software.

It isn’t always the easy or popular thing to do, but standing up to huge companies when they violate our rights is important. SafetyDetectives was founded with the intention of providing people around the globe with the tools to keep their data safe in the digital age — safe from hackers, unethical governments, and even predatory cybersecurity companies like Avast who have shown the world how little they care about their users.

While Avast is back in most major web stores, and most of their 400 million users continue to utilize their software, ignorant of these ethical violations, all of us on the SafetyDetectives team feel proud to stand firm in our convictions.

About the Author

Ben Martens is a cybersecurity journalist with a background in internet ethics, malware testing, and public policy. He resides in Oregon, and when he's not advocating for the rights of internet users, he's walking with his dog and inventing stories with his daughter.